Threat Description

Backdoor:W32/Haxdoor.KI

Details

Summary

A remote administration utility which bypasses normal security mechanisms to secretly
control a program, computer or network.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

Backdoor:W32/Haxdoor.KI is a powerful backdoor with rootkit and spying capabilities.
It can hide its presence, processes and files on an infected system.

Update - August 25 2006:

The Russia-based skyinet.info website that the backdoor connects to offers a URL that
points to a file named samki.exe. This file contains a nasty payload that damages Windows
beyond repair: it renames several files that are key Windows components (for example
kernel32.dll, explorer.exe and so on) and destroys the Registry database. After a system
restart, Windows is unbootable and damaged beyond repair. This file can be downloaded and
launched by a hacker to destroy all infected computers when the time comes. We have added
detection for the payload file into the 2006-08-25_04 update. Amusingly, Haxdoor.KI can
still play such dumb tricks on a user as opening and closing the CD-ROM tray. This is a
heritage from older backdoors like Deep Throat, NetBus, SubSeven and others.

Update - 17 August 2006:

We received numerous reports of Haxdoor.KI being spammed as an e-mail attachment, in
an archive file named rakningen.zip. The backdoor's file, located inside the archive,
is named rakningen.exe (Swedish language). We also have a report that it was spammed
inside an archive named rechnung.zip as rechnung.exe (German language).

Propagation

Haxdoor.KI was spammed to a large number of people in e-mail messages with the following
characteristics:

Installation

When the backdoor's file (rechnung.exe or rakningen.exe) is run, it silently drops
5 files to the Windows System folder:

qo.dll

qo.sys

xdpptp.sys

xopptp.dll

xopptp.sys

The DLL files are identical to each other, as are the SYS files. During its operation
the backdoor creates several different files where it stores stolen data. Those files
are encrypted. When the backdoor is active, all its files are hidden with the help
of rootkit techniques. Also, if the backdoor injected its code into the Windows Explorer
process, it hides the Explorer.exe process. Otherwise, if the backdoor started as a
component of the Winlogon process, usually after a system reboot, it hides the Winlogon.exe
process. F-Secure products that have an anti-rootkit engine, for example F-Secure
Internet Security, can detect and remove the backdoor successfully.

Registry

The DLL files are the backdoor's main components. To make sure that the backdoor
is started every time Windows boots, a Winlogon Notification key for the backdoor's
"xopptp.dll" file is added to the Registry:

This allows the backdoor to start even before a user logs on. Also the backdoor's
driver, a file named xdpptp.sys, is registered as a system driver to be loaded even
in the minimal configuration (Safe Boot):

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\xdpptp.sys]

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\xdpptp.sys]

[HKLM\System\ControlSet00?\Control\SafeBoot\Minimal\xdpptp.sys]

[HKLM\System\ControlSet00?\Control\SafeBoot\Network\xdpptp.sys]

In addition, the backdoor's driver can be registered as a service with the following
attributes:

Activity

It looks like the main purpose of this backdoor, which was created by the virus writer
who calls himself 'Corpse', is spying on the users of infected computers. The
stolen info, which includes various logins, passwords, on-line payment system account
details and so on, is sent to a hacker, who can (and probably does) sell it to other
criminals. At the same time, the extensive backdoor capabilities and the set of remote
control tools offered by the virus writer on a commercial basis make this
malware suitable for spammers, phishers and other computer criminals. The backdoor
collects and sends the following information to a hacker:

IMAP passwords

IMAP server name

IMAP user name

Inetcomm server passwords

Outlook account passwords

POP passwords

POP server name

POP user name

Protected storage passwords

The Bat! passwords

Windows registration info

The backdoor can also steal cached MSN, Miranda, ICQ and Webmoney passwords as well
as RAS phone numbers and other RAS-related info (username, password, domain, DNS
settings). The backdoor monitors web forms accessed from the infected machine. If the
URL or the data inside the web page matches a fixed list of online banking-related
keywords, the backdoor posts the content of the form to a server via a web
site at the address skynet.info. In addition, the backdoor can steal information
related to E-Gold, eBay and PayPal accounts. These services are widely used for online
payments around the world. While active, the backdoor injects itself into processes
with the following names:

explorer.exe

icq.exe

iexplore.exe

mozilla.exe

msn.exe

myie.exe

opera.exe

outlook.exe

thebat.exe

The backdoor listens on TCP port 16661 for commands from a remote host. A hacker can
connect to that port and control the backdoor's behaviour. The backdoor allows a hacker
to do any of the following:

Upload a specified file to a hacker

Download a file from a specified location

View contents of a specified file

Find any specified file (masks supported)

Start any specified file

List files and directories

Create directories with specified names

Send an e-mail with a specified text

Show a messagebox with a specified text

Full access to Windows Registry

Enable or disable keylogger, check keylogger status

Copy data to and from clipboard

Set cursor position

Enable or disable keyboard

Copy, delete or move a specified file; get and set its attributes

List and kill processes, set priority for a specified process

Enable and disable hard disks and floppy drives

Get and set local time

Set doubleclick time

Swap mouse buttons

Take a screenshot of the desktop

Play specified media files

Show specified bitmap files

Change the title of a specified window

Send a message to any application window

Create and start services

Play a beep sound

Log off, shutdown and restart Windows

Change color scheme

Open or close CD-ROM tray

Unload from memory or uninstall itself from a computer

Password authentication for a backdoor operator

Get information about an infected system

Hide additional files and processes (uses a driver)

Start HTTP proxy server listening on TCP port 8008

Start SOCKS v4/5 proxy server listening on TCP port 7080

The backdoor also starts a command shell (cmd.exe) listening on TCP port 16016. The
backdoor blocks connections from an infected computer to the following sites, most of
which belong to anti-virus vendors:

avp.ch

avp.com

avp.ru

awaps.net

customer.symantec.com

dispatch.mcafee.com

download.mcafee.com

engine.awaps.net

f-secure.com

ftp.kaspersky.ru

ftp.sophos.com

kaspersky.com

kaspersky.ru

kaspersky-labs.com

liveupdate.symantec.com

liveupdate.symantecliveupdate.com

mast.mcafee.com

mcafee.com

my-etrust.com

networkassociates.com

phx.corporate-ir.net

rads.mcafee.com

securityresponse.symantec.com

service1.symantec.com

sophos.com

spd.atdmt.com

symantec.com

trendmicro.com

u2.eset.com

update.symantec.com

updates.drweb-online.com

updates.symantec.com

us.mcafee.com

virustotal.com
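The listening ports and the SafeBoot and Winlogon Notify persistence keys described above can be turned into a host check. The following is an added example in Python, not F-Secure's tooling and not part of the original description: it flags the backdoor's ports in saved `netstat -ano` output and its persistence keys in a .reg export. The netstat lines and registry text are constructed, and the Notify subkey name `xopptp` is an assumption, since the page does not give it (the `DLLName` value is the standard one for Winlogon Notify packages).

```python
import re

# Indicators from the F-Secure write-up; the netstat and .reg samples below are constructed.
BACKDOOR_PORTS = {16661: "command channel", 16016: "cmd.exe shell",
                  8008: "HTTP proxy", 7080: "SOCKS v4/5 proxy"}
DRIVER, MAIN_DLL = "xdpptp.sys", "xopptp.dll"

def listening_backdoor_ports(netstat_text):
    """Map each LISTENING TCP port in 'netstat -ano' output that is one of the backdoor's ports to its role."""
    hits = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                hits[port] = BACKDOOR_PORTS[port]
    return hits

def persistence_keys(reg_export):
    """Return keys in a .reg export that persist the backdoor: SafeBoot entries for
    its driver (any control set) and Winlogon Notify entries whose DLLName is its main DLL."""
    found, key = [], None
    safeboot = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\" + re.escape(DRIVER) + "$", re.I)
    dllname = re.compile(r'"DLLName"="' + re.escape(MAIN_DLL) + '"', re.I)
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if safeboot.search(key):
                found.append(key)
        elif key and "\\Winlogon\\Notify\\" in key and dllname.fullmatch(line):
            found.append(key)
    return found

NETSTAT_SAMPLE = """\
TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    892
TCP    0.0.0.0:16661    0.0.0.0:0    LISTENING    1412
TCP    0.0.0.0:16016    0.0.0.0:0    LISTENING    1412"""

REG_SAMPLE = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xdpptp.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xopptp]
"DLLName"="xopptp.dll"
"""

if __name__ == "__main__":
    print(listening_backdoor_ports(NETSTAT_SAMPLE))  # the 16661 and 16016 listeners
    print(persistence_keys(REG_SAMPLE))              # the xdpptp.sys and xopptp keys only
```

Because the rootkit hides its files and processes on a live system, run such checks against artifacts collected offline or after a clean boot; a port scan from another host is an independent cross-check.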

In addition, it terminates the following security-related processes:

atrack.exe

FwAct.exe

iamapp.exe

jamapp.exe

mpfagent.exe

mpftray.exe

outpost.exe

vsmon.exe

zapro.exe

zlclient.exe

The backdoor disables the VFILT and WSCSVC services to bypass the Outpost and Windows
firewalls. Finally, the backdoor can modify the following Internet Explorer settings:

Default search URL

First homepage

Local page

Search page

Start page

Detection

F-Secure Anti-Virus detects this malware with the following updates:

Detection Type: PC
Database: 2006-08-17_02
